By enabling or disabling capabilities, you define authorization rules for entities, taxonomies, widgets, forms and views. The built-in WordPress roles can also be modified to support your app's authorization requirements. Unauthorized users see a message customizable per component basis.

As a general rule, if a capability is not assigned to any user role, it is assigned to visitors. Visitors are users who are not registered on your WordPress site.